Windows to Mainframe: Common Communications Interface › SSL Tab

SSL Tab

The SSL tab lets you select the Secured Sockets Layer (SSL) to provide secured transport and to define relevant parameters for CAICCI on Windows.

For the protocol to be active, the PC must connect to a mainframe server that supports SSL (CCISSL). A PC running SSL-enabled CAICCI code that connects to a server that does not support SSL either reverts to the standard unsecured protocol or has its connection request rejected, depending on the selected SSL encryption option.

Force Secure end-to-end connection

Selecting this option informs CAICCI that end-to-end SSL is required for all CCI requests. A secured link must be in place from the PC to the receiving application target host including any intermediate hosts acting as routers to the target host. Since SSL is also required for the PC connection to its mainframe server, selecting this option also forces on the option for Force secure connection from PC to Host.

Force secure connection from PC to Host

Selecting this option specifies that the PC requires an SSL connection to its mainframe server. If the server does not support SSL, the connection request fails.

Defer decision to host

Selecting this option defers the decision of establishing a secured SSL connection to the mainframe server. An SSL connection is established only if the mainframe server requires it.

Disable secure connection on the PC

Selecting this option disables SSL on the PC. If the mainframe server requires a secured SSL connection, the connection request fails.

Note: The PC application can programmatically specify and override the settings of the SSL Tab.

The SSL Tab contains the following fields to locate certificates. The end-user certificates are supported in PKCS#12 format. Both user and CA certificates can be stored and accessed from the Windows Certificate Store.

SSL Path

Specifies the name of the directory path where CAICCI-PC searches for certificates unless overridden by one of the fields that are described in this list.

Client Certificate

This field specifies the absolute path and name of a file (if the file name starts with a "drive_letter:\") or the relative path and name of a file (relative to SSL Path) containing the Public Key Infrastructure (PKI) private key and certificate that the PC uses to identify itself to the mainframe server. If Client Certificate has a file type of "*.p12", the certificate is assumed to be in PKCS#12 format. Otherwise the certificate is assumed to be in PEM format.

The Client Certificate field can also reference a certificate within the Windows Certificate Store. This reference cannot be by filename but rather is through an entity within the certificate. The following methods can be used to reference a certificate within the Windows Store:

• Specify a character string that is contained within the certificate's Subject Name, which is enclosed within double quotes. For example, specify: "substring". Multiple certificates can match on a substring. The first match is used. Specify enough of the certificate’s Subject Name to ensure that the desired certificate is selected. If multiple certificates have the same Subject Name, then do not use this method.
• Specify the entire hex string of the Thumbprint for the certificate, which is enclosed within < >. For example, specify: <xx xx xx xx... xx>. The thumbprint is unique.

PKI Password

This field specifies the password for the Client Certificate that lets CAICCI-PC access the certificate PKI private key. The password is required when Client Certificate specifies a filename. The password for a certificate residing within the Windows Certificate store is required at the time that the certificate is imported into the store. The password is not required here.

CA Certificates

This field specifies the absolute path and name of a file (if the file name starts with a "drive_letter:\") or the relative path and name of a file (relative to SSL Path) containing one or more concatenated Certificate Authority certificates that the PC uses to authenticate certificates that are received from its server.

The CA Certificates field can also reference a CA certificate within the Windows Certificate Store. This reference cannot be through a filename but rather is through an entity within the CA certificate. The following methods can be used to reference a CA certificate within the Windows Store:

• Specify a character string that is contained within the CA certificate's Subject Name, which is enclosed within double quotes. For example, specify: "substring". Multiple CA certificates can match on a substring. The first match is used. Specify enough of the CA certificate’s Subject Name to ensure that the desired certificate is selected. If multiple CA certificates have the same Subject Name, then do not use this method.
• Specify the entire hex string of the CA certificate thumbprint, which is enclosed within < >. For example, specify: <xx xx xx xx... xx>. The thumbprint is unique.

CA Directory

This field specifies the absolute path and name of a directory (if the directory name starts with a "drive_letter:\") or the relative path and name of a directory (relative to SSL Path) containing the Certificate Authority certificate files that the PC uses to authenticate certificates that are received from its server.

The individual Certificate Authority certificate files are named after their subject name hash value. At startup, SSL first loads certificates from the CA Certificates file. During the connection time, if SSL cannot find the required CA certificate, it then checks this directory.

SSL Verify Depth

This field specifies the maximum depth of the certificate verification chain. A value of 1 allows the check of the peer certificate and one Certificate Authority certificate. Higher values allow checks for more Certificate Authority certificates.